 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] stateful / dynamic packet filtering on m0n0wall?
 Date:  Thu, 8 Dec 2005 17:46:05 -0500
On 12/8/05, Lewis Edwards <lewis dot edwards at esi dash group dash na dot com> wrote:
>
> I have a web server in a DMZ with only port 80 open to the world.  Right
> now, someone can telnet to port 80 and poke around with my Apache
> installation. Given the right person and the wrong installation, this can
> cause a lot of problems.  If m0n0wall had stateful (or dynamic) packet
> filtering then port 80 would only accept HTTP connections and the sysadmin
> could sleep (a little) easier.
>

What you're asking for isn't a "stateful" firewall, or "dynamic".
m0n0wall is fully stateful, at layer 3 and 4.

What you're after is an application layer firewall.  I'm not aware of
any open source package that has good, fast, reliable application
layer filtering, on the network.  There are some crappy solutions
available for Linux, but I'd rather have none at all than something
buggy and slow.  There aren't any good open source options because all
the good commercial options are run in ASICs.  Standard PC hardware
generally isn't a good fit for something like this.

However, running it on the web server itself, or on another box that
proxies web requests, is a good solution.  A better fit for Apache
would be mod_security, though I'm not sure if that runs on Windows or
not.  Someone else suggested a reverse proxy, and that's a great
solution.

The port being open on Windows makes absolutely no difference.  There
would have to be a hole in Apache for that to matter, and at that
point it probably wouldn't matter what OS you were running anyway.
Not that each and every open port shouldn't raise legitimate concern;
your concern is just misplaced with Windows when Apache would be the
potential problem here.  In addition to previously mentioned things,
lock down both Windows and Apache as tightly as you possibly can.
There are scads of resources with info on both.

-Chris
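As an added illustration of the distinction drawn above (example code, not from the thread, from m0n0wall or from mod_security), here is the kind of application-layer check a reverse proxy or mod_security performs in front of Apache: a stateful layer 3/4 firewall only sees "TCP to port 80", whereas this code reads the bytes and decides whether they form a well-formed HTTP/1.x request. The allowed-method list, the size limit and the sample requests are assumptions constructed for the example.

```python
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumption: a plain web site needs no more
MAX_REQUEST_LINE = 2048                     # assumption: bounded but generous
# HTTP/1.0 or 1.1 request line: METHOD SP request-target SP HTTP/1.x
REQUEST_LINE_RE = re.compile(rb"^([A-Z]+) (/[^ \r\n]*|\*) HTTP/1\.[01]$")
# header-name ":" OWS field-value (token characters per RFC 7230)
HEADER_RE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*([^\r\n]*)$")

def classify_request(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason); only the head of the request is examined."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete or non-CRLF-terminated header block"
    lines = head.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    m = REQUEST_LINE_RE.match(request_line)
    if not m:
        return False, "not an HTTP/1.x request line"
    method = m.group(1).decode()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    headers = {}
    for line in lines[1:]:
        hm = HEADER_RE.match(line)
        if not hm:
            return False, "malformed header line"
        headers[hm.group(1).lower()] = hm.group(2)
    if b"host" not in headers:
        return False, "missing Host header (required by HTTP/1.1)"
    return True, "ok"

# Constructed sample inputs: one browser-like request and three that an
# interactive "telnet to port 80" session would typically produce.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
    "junk":    b"hello?\r\n\r\n",
    "trace":   b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "nohost":  b"GET / HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_request(raw))
```

A rejected request is what you would log and drop at the proxy; the packet filter in front of it never had the information to make that decision.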